CL0P extortion group exploits Oracle EBS zero-day vulnerability

10 October 2025

Google Threat Intelligence Group and Mandiant have revealed that cybercriminals affiliated with the CL0P extortion group exploited a zero-day vulnerability in Oracle E-Business Suite (EBS) to carry out a widespread data theft and extortion campaign.

The initial breach likely occurred as early as 10 July 2025, with attackers chaining together up to five vulnerabilities, including a zero-day believed to be CVE-2025-61882, to achieve unauthenticated remote code execution against targeted organisations.

Starting from late September 2025, the threat actors began sending large volumes of emails to executives across various organisations, claiming they had compromised their Oracle EBS environments and exfiltrated sensitive documents. These emails were part of a coordinated extortion effort, supported by evidence of data exfiltration dating back to July, before patches addressing the vulnerabilities were released in July and October 2025. The attack involved sophisticated, multi-stage, fileless malware — such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE — which enabled the threat actors to evade traditional detection mechanisms and maintain persistence within compromised systems.

The attack chain typically started with a POST request to the /OA_HTML/SyncServlet endpoint, exploiting the XDO Template Manager to create malicious templates embedded with XML Stylesheet Language (XSL) payloads. These payloads, when executed via the system’s template preview functionality, granted attackers control over the affected servers. The malware included Java payloads like GOLDVEIN.JAVA, functioning as a downloader, and the SAGEGIFT loader, which deployed further implants such as SAGELEAF and SAGEWAVE for persistence and additional module deployment. The attackers also used compromised email accounts to send extortion demands, often attaching legitimate document listings from victim systems to lend credibility to their threats.
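The report names /OA_HTML/SyncServlet as the endpoint the chain started from, which makes the EBS web tier's access log a natural first place to look. The script below is an added example written for this page, not code from Google, Mandiant or Oracle: it parses constructed Apache/OHS-style access log lines and flags requests to that endpoint that are POSTs or that come from outside the networks where EBS administration traffic is expected. The trusted address range and the template-preview placeholder are assumptions; the only path taken from the report is /OA_HTML/SyncServlet.

```python
import ipaddress
import re
from collections import defaultdict

# Combined-format access log as written by Oracle HTTP Server / Apache in front of EBS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the report. The template-preview URL is install-specific, so it is
# left for the operator to add (assumption: it differs between EBS deployments).
WATCHED_PATHS = {"/OA_HTML/SyncServlet"}

# Networks from which EBS admin and integration traffic is expected (assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log; the addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jul/2025:02:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
10.0.4.15 - - [10/Jul/2025:02:15:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 8231
198.51.100.23 - - [10/Jul/2025:02:16:40 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 200 498
10.0.4.15 - - [10/Jul/2025:02:17:02 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 1024
this line is deliberately malformed and must be skipped by the parser
""".splitlines()


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path, not the query string
    return rec


def is_trusted(ip):
    """True if the source address falls inside an expected admin/integration network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def hunt(lines):
    """Flag requests to watched endpoints; return (findings, count per source IP)."""
    findings = []
    per_source = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        reasons = []
        if rec["method"] == "POST":
            reasons.append("POST to watched endpoint")
        if not is_trusted(rec["ip"]):
            reasons.append("request from untrusted source network")
        if reasons:
            per_source[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "method": rec["method"], "status": rec["status"],
                             "reasons": reasons})
    return findings, dict(per_source)


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
    print("requests per flagged source:", counts)
```

In the sample, the two POSTs from 198.51.100.23 are flagged on both counts, while the GET from the trusted 10.0.4.15 address is not, so a legitimate internal integration does not drown the finding. Running this over the real log for the window from early July 2025 onward and sorting by source address gives a short list to compare against the IP indicators published with the report.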

While CL0P’s data leak site, active since 2020, has historically been used for ransomware extortion, recent activity shows a shift toward exploiting zero-day vulnerabilities for data theft. Although many of these operations are linked to the group known as FIN11, there is evidence suggesting multiple clusters and partnerships involved, making attribution complex. The campaigns display tactics similar to previous CL0P operations, including the use of Java-based loaders and backdoors.

Organisations are urged to prioritise applying the emergency patches issued by Oracle on 4 October 2025, to mitigate ongoing risks. Experts recommend reviewing the XDO_TEMPLATES_B and XDO_LOBS database tables for malicious templates, restricting unnecessary outbound internet access from Oracle EBS servers, and monitoring network logs for suspicious activity. Indicators of compromise include IP addresses used during exploitation, targeted endpoint paths, and specific email addresses involved in extortion communications. Detection strategies focusing on Java malware behaviours and anomalous requests are also advised to identify and respond to ongoing threats.
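The recommendation to review XDO_TEMPLATES_B and XDO_LOBS can be turned into a repeatable check. The script below is an added example for this page, not code from Oracle or the report's authors: it stands up an in-memory SQLite copy of the two tables with constructed rows, runs the join an analyst would run on the EBS database, and then inspects each template body created in the campaign window for strings that indicate an XSL template reaching into Java. The column names, the Java extension namespace string and the indicator list are assumptions; confirm the columns against your own instance (the real query runs against Oracle, where CREATION_DATE is a DATE and needs TO_DATE in the predicate) and extend the indicator list with whatever the published IoCs give you.

```python
import sqlite3

# Columns modelled on XDO_TEMPLATES_B / XDO_LOBS as the author understands them
# (assumption: verify with DESCRIBE on the real instance before adapting the query).
SCHEMA = """
CREATE TABLE XDO_TEMPLATES_B (
    APPLICATION_SHORT_NAME TEXT, TEMPLATE_CODE TEXT, TEMPLATE_TYPE_CODE TEXT,
    CREATION_DATE TEXT, CREATED_BY INTEGER
);
CREATE TABLE XDO_LOBS (
    APPLICATION_SHORT_NAME TEXT, LOB_CODE TEXT, LOB_TYPE TEXT, XDO_FILE_TYPE TEXT,
    FILE_DATA BLOB, CREATION_DATE TEXT
);
"""

# Earliest date the report gives for the intrusions is 10 July 2025; start the window
# a little before it so a slightly earlier template creation is not missed.
CUTOFF = "2025-07-01"

# Byte strings whose presence in a template body warrants a closer look (assumption:
# the first is the Oracle XSLT Java extension namespace prefix; the rest are class names
# a layout template has no business referencing).
INDICATORS = (
    b"/XSL/Transform/java/",
    b"java.lang.Runtime",
    b"ProcessBuilder",
    b"java.net.URL",
)

# Join template metadata to the stored template body for everything created in the window.
HUNT_SQL = """
SELECT t.APPLICATION_SHORT_NAME, t.TEMPLATE_CODE, t.CREATION_DATE, t.CREATED_BY,
       l.XDO_FILE_TYPE, l.FILE_DATA
FROM XDO_TEMPLATES_B t
LEFT JOIN XDO_LOBS l
  ON l.APPLICATION_SHORT_NAME = t.APPLICATION_SHORT_NAME
 AND l.LOB_CODE = t.TEMPLATE_CODE
WHERE t.CREATION_DATE >= ?
ORDER BY t.CREATION_DATE
"""


def build_sample_db():
    """Constructed data: two ordinary RTF layouts and one XSL template that declares a Java namespace."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    templates = [
        ("AP", "APXSOBLX", "RTF", "2019-03-04", 1),
        ("XDO", "TMP_DEF_A1", "XSL-TEXT", "2025-07-12", 0),
        ("AR", "ARXINVMAIN", "RTF", "2025-07-20", 1),
    ]
    suspicious_xsl = (b'<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
                      b'xmlns:rt="http://www.oracle.com/XSL/Transform/java/java.lang.Runtime"/>')
    lobs = [
        ("AP", "APXSOBLX", "TEMPLATE", "RTF", b"{\\rtf1 legitimate invoice layout}", "2019-03-04"),
        ("XDO", "TMP_DEF_A1", "TEMPLATE", "XSL", suspicious_xsl, "2025-07-12"),
        ("AR", "ARXINVMAIN", "TEMPLATE", "RTF", b"{\\rtf1 updated invoice layout}", "2025-07-20"),
    ]
    conn.executemany("INSERT INTO XDO_TEMPLATES_B VALUES (?,?,?,?,?)", templates)
    conn.executemany("INSERT INTO XDO_LOBS VALUES (?,?,?,?,?,?)", lobs)
    return conn


def review_templates(conn, cutoff=CUTOFF):
    """Return one record per template created on/after cutoff, with any indicator hits."""
    results = []
    for app, code, created, by, ftype, data in conn.execute(HUNT_SQL, (cutoff,)):
        body = bytes(data or b"")
        hits = [ind.decode() for ind in INDICATORS if ind in body]
        results.append({"app": app, "code": code, "created": created, "created_by": by,
                        "file_type": ftype, "indicators": hits, "suspicious": bool(hits)})
    return results


if __name__ == "__main__":
    for row in review_templates(build_sample_db()):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{row['created']} {row['app']}/{row['code']} ({row['file_type']}) {flag} {row['indicators']}")
```

The date filter alone is not enough: a legitimate template patched in the same window (ARXINVMAIN in the sample) lands in the result set too, which is why the body is inspected as well. Anything the content check flags, plus any template in the window whose CREATED_BY does not map to a known administrator, should be pulled for manual review rather than deleted outright, since the row itself is evidence for the incident timeline.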